Module Name: src Committed By: maxv Date: Sun Apr 20 21:26:51 UTC 2014
Modified Files: src/sys/kern: vfs_syscalls.c Log Message: This thing is totally buggy: 'data_len' is modified by the fs, so calling kmem_free with it after its value has changed since the kmem_alloc is far from being a good idea. If the kernel figures out that something mismatches, it will panic (typically with kernfs). To generate a diff of this commit: cvs rdiff -u -r1.481 -r1.482 src/sys/kern/vfs_syscalls.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/kern/vfs_syscalls.c
diff -u src/sys/kern/vfs_syscalls.c:1.481 src/sys/kern/vfs_syscalls.c:1.482
--- src/sys/kern/vfs_syscalls.c:1.481 Fri Apr 18 05:22:13 2014
+++ src/sys/kern/vfs_syscalls.c Sun Apr 20 21:26:51 2014
@@ -1,4 +1,4 @@
-/* $NetBSD: vfs_syscalls.c,v 1.481 2014/04/18 05:22:13 maxv Exp $ */
+/* $NetBSD: vfs_syscalls.c,v 1.482 2014/04/20 21:26:51 maxv Exp $ */
 
 /*-
  * Copyright (c) 2008, 2009 The NetBSD Foundation, Inc.
@@ -70,7 +70,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls.c,v 1.481 2014/04/18 05:22:13 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls.c,v 1.482 2014/04/20 21:26:51 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_fileassoc.h"
@@ -454,6 +454,7 @@ do_sys_mount(struct lwp *l, struct vfsop
 	struct vnode *vp;
 	void *data_buf = data;
 	bool vfsopsrele = false;
+	size_t alloc_sz = 0;
 	int error;
 
 	/* XXX: The calling convention of this routine is totally bizarre */
@@ -502,7 +503,8 @@ do_sys_mount(struct lwp *l, struct vfsop
 		error = EINVAL;
 		goto done;
 	}
-	data_buf = kmem_alloc(data_len, KM_SLEEP);
+	alloc_sz = data_len;
+	data_buf = kmem_alloc(alloc_sz, KM_SLEEP);
 
 	/* NFS needs the buffer even for mnt_getargs .... */
 	error = copyin(data, data_buf, data_len);
@@ -538,7 +540,7 @@ do_sys_mount(struct lwp *l, struct vfsop
 		vrele(vp);
 	}
 	if (data_buf != data)
-		kmem_free(data_buf, data_len);
+		kmem_free(data_buf, alloc_sz);
 	return (error);
 }
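Review bot: The new `alloc_sz` declaration in the `@@ -454,6 +454,7 @@` hunk gives no hint of why a second size variable is needed next to `data_len`; the commit message is the only place that records it, and that reasoning belongs next to the code. A one-line comment on the declaration would do, e.g. `size_t alloc_sz = 0;	/* size handed to kmem_alloc(); data_len may be rewritten by the fs */`. do_sys_mount's body begins before and continues after this hunk.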
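Review bot: In the `@@ -502,7 +503,8 @@` hunk, `error = copyin(data, data_buf, data_len);` two lines below the new `kmem_alloc(alloc_sz, KM_SLEEP)` still sizes the copy by `data_len`; at that point the two values are equal, but the whole reason for introducing `alloc_sz` is that `data_len` is not stable, so the copy into the freshly allocated buffer should be bounded by the value the buffer was actually allocated with, `error = copyin(data, data_buf, alloc_sz);`. That keeps every access to `data_buf` tied to one size and prevents a later reordering from reintroducing the allocation/size mismatch the commit fixes. The VFS call that rewrites `data_len` and the rest of do_sys_mount are outside this hunk.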
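Review bot: The free in the `@@ -538,7 +540,7 @@` hunk now matches the allocation, but nothing visible bounds `data_len` once the filesystem has rewritten it; if do_sys_mount copies `data_len` bytes back out of `data_buf` before reaching this cleanup (that code is outside the hunk, so this is inferred from the commit message), a `data_len` grown past `alloc_sz` would read beyond the allocated buffer rather than just mis-size the free. A check at the point where the fs-updated length is consumed, `KASSERT(data_len <= alloc_sz);` or an explicit `if (data_len > alloc_sz) { error = EINVAL; goto done; }`, would make the contract enforced rather than assumed. The `done:` label and the copy-out path are outside this hunk.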